Simply put, the EU-US Privacy Shield is a commitment that American organizations make to the U.S. Department of Commerce (DOC) International Trade Administration (ITA), through self-certification, to protect the fundamental rights of EU data subjects when they transfer those subjects' personal information across EU borders. Certified organizations commit to handling personal data adequately according to a set of seven Privacy Shield principles (requirements) enshrined in this trans-border framework between the U.S. and the EU.

How Many Organizations Have Self-Certified?

More than 4,000 companies have certified, either through self-assessment or through an independent third party.

Who are some of these organizations?

Microsoft, Facebook, and Google, to name a few big names. But there are others that aren’t so big. Here’s the full list.

Does This Framework Require Reporting Directly To EU Authorities?

No. The Federal Trade Commission (FTC) is the authority responsible for enforcing compliance with the Privacy Shield principles. The Department of Commerce is responsible for administering the Privacy Shield application, certification, and renewal processes and their guidelines. DOC also maintains a list of certified businesses. You must first become a member of ITA before applying for Privacy Shield certification. It’s best to reach out to DOC for assistance before you fill out the application form to begin the process. Once certified, your organization is subject to ongoing regulation; it may withdraw, but withdrawal involves a formal process. Privacy Shield replaced Safe Harbor, a 15-year-old trans-border personal data transfer mechanism that the EU Court of Justice invalidated in 2015 as inadequate for protecting EU subjects’ privacy rights in the U.S.

So, What Are The EU-US Privacy Shield Principles?

The Privacy Shield principles are very similar to GDPR principles. They include Notice, Choice, Accountability for Onward Transfers, Security, Access, Data Integrity & Purpose Limitation, and Recourse, Enforcement, & Liability.

Let’s summarize.

Principle 1: Notice

Notice means informing the individuals whose data you transfer that your business is a certified Privacy Shield business. This should be evident from your privacy notice (for example, the privacy policy on your website). Individuals should know the types of personal data you collect, the purpose and use of that data, and the third parties with whom you share it or to whom you disclose it. Of course, just like under GDPR, you’ll also need to let EU data subjects know how they can exercise their rights.

Principle 2: Choice

As under GDPR, obtaining consent is important. Even more important is making sure individuals can make clear decisions about their preferences regarding the disclosure and use of their personal information.

Principle 3: Accountability for Onward Transfers

If your business works with partners or third parties to process personal data transferred from the EU, you’re responsible for ensuring that your contracts with those third parties provide adequate data protection and align with your notice to data subjects, your business obligations to EU data subjects, and the Privacy Shield principles. Otherwise, your business bears the liability in the event of a breach.

Principle 4: Security

Assess the risks of your personal data processing and determine which security measures are appropriate to reduce them. Implement those safeguards to protect personal data against unauthorized disclosure, use, access, or modification.

Principle 5: Data Integrity & Purpose Limitation

Maintaining data quality is crucial. Data integrity means the data is accurate and relevant to its purpose or use, and is neither corrupted with errors nor incomplete.

Principle 6: Access

EU data subjects have privacy rights and are entitled to exercise them. Your business is responsible for providing data subjects with a mechanism to exercise those rights. Among these rights are the right to access, rectify, restrict the processing of, and delete personal data held about them.

Principle 7: Recourse, Enforcement, & Liability

Have a process for resolving data subjects’ complaints. From your notice or website, give data subjects access to a link, email address, or portal where disputes can be properly handled, resolved, and documented.

Does EU-US Privacy Shield Apply to My Business?

It depends on whether your business relies on transatlantic or other trans-border data transfers. But before you apply for EU-US Privacy Shield certification, ensure that your business already implements the seven principles and is compliant.

Consider the quality of your corporate structure, privacy program, contracts, third-party or vendor management, and any data transfer mechanisms you currently rely on. Assess your business needs, size, and markets, and how data flows or is distributed for processing. Your business may need to work toward readiness before applying for certification; it’s not advisable to start the process if your business may end up struggling to comply.

Certification is voluntary. EU-US Privacy Shield aligns with GDPR requirements, so if GDPR applies to your business, you’re responsible for compliance with both GDPR and the Privacy Shield (after self-certifying with Privacy Shield). Like most American organizations, you may be relying on other justifications (Binding Corporate Rules, Ad Hoc Clauses, Model Clauses, Consent, Codes of Conduct, etc.) for trans-border transfers or for processing personal data from the EU. Consider EU-US Privacy Shield certification as ‘extra credit’ in the eyes of enforcement authorities. There are many other benefits.